BigID: New privacy regulations have ended 'the data party'

The 'data party' era of enterprises indiscriminating, collecting, storing and selling users' personal information is coming to an end, according to BigID.

A New York-based startup, BigID was formed in 2015 with the goal of improving enterprise data management and protection in the age of GDPR and the California Consumer Privacy Act (CCPA). The company, which won the 2018 Innovation Sandbox Contest at RSA Conference, recently raised $50 million in Series C funding. Now BigID is expanding its mission to help enterprises better understand and control their data amid new privacy regulations.

BigID co-founder and chief product officer Nimrod Vax talks with SearchSecurity about how new regulations have effectively ended the data party. He also discusses BigID's launch, its future and whether data protection is getting easier or harder.

Editor's note: This interview has been edited for length and clarity.

How was BigID founded?

Nimrod Vax: Dimitri [Sirota, CEO] and I were the company's two founders. At my last kind-of real job I was head of the identity product line at CA, and at the time CA acquired Dimitri's company, Layer 7 Technologies. That's how we met, so we got to work together on challenges of customers around identity management and security. After we left CA, at the time, there was a big surge of breaches of personal information through incidents like the Ashley Madison scandal and LinkedIn and Twitter. And what was really surprising about those breaches was that they were breaches of what you would think is very sensitive information. It wasn't nuclear plans or anything; it was really just lists of names and addresses and phone numbers, but it was millions and billions of them. The following year, there were four billion personal records stolen. And the question that we asked ourselves was that with all of these security tools that are out there, why are these breaches still happening? And we learned that data protection tools that were available at the time and even today were not purposely built to protect and discover and manage personal information. They were really very generic and were not built for that. And also, these scandals kind of raised visibility and awareness of privacy. The legislation has picked up and we have GDPR coming and later CCPA, so we've identified the opportunity to help software organizations address those needs and meet the requirements of these regulations.

What does BigID do?

Vax: BigID's aim is to help organizations better understand what data they store about their customers and in general, and then allow them to take action on top of that and comply with regulations and better protect the data and better manage it to get more value out of the data. In order to do that, BigID is able to connect all data sources. We have over 60 different connectors to all the things you could even think about that you may have in an IT organization. All of the relational databases, all of the unstructured data sources, semistructured data, big data repositories, anything in AWS, business applications like SAP, Salesforce, Workspace, you name it. We connect to anything, and then search for and classify the data. We first and foremost catalog everything so you have a full catalog of all the data that you have. We classify that data, and tell you what type of data that is -- where do you have user IDs? Where do you have phone numbers? We help to cluster it, so we can find similar types of data without knowing anything about the data; just knowing the content that's similar to other data that helps cluster it. Our claim to fame is our ability to correlate it. We can find Social Security numbers whose Social Security number it is and that allows you to distinguish between customer data, American data, European resident data, children or adult information, and also being able to know who's data it is for access rights and who to notify regarding a breach.

The solution is specifically built on premises, but it's a modern enterprise software. It's completely containerized and documented for containers. It automatically scales up and down and doesn't require any agents on the endpoint; it connects using open APIs, and we don't copy the data -- we just house the data and that's important because we don't want to create a security problem. We also don't want to incur a lot of additional storage.

And lastly, and I think this is very important, the discovery layer is all exposed to a well-documented set of APIs so that you can query that information and make it accessible to applications, and we build applications on top of that.

We're obviously generating more and more user data every single day. Does data protection and data governance become exponentially harder as time goes on? And if so, how do you keep up with that explosion of user data?

Vax: One of the problems that led to BigID was the fact that organizations now have the knowledge and technology that allow them to store unlimited amounts of data. If you look at big data repositories, it's all about storing truckloads of data; organizations are collecting as much as they can and they're never deleting the data. That is a big challenge for them, not only to protect the data but even to gain value from the data. Information flows into the organization through so many different channels -- from applications, from websites and from partners. Different business units are collecting data and they're not consolidating it, so all the goodness of the ability to process all that data comes with a burden. How do I make more use of that data? How do I consolidate the data? How do I gain visibility into the data I own and have access to? That complexity requires a different approach to data discovery and data management, and that approach first requires you to be big data native; you need to be able to run in those big data repositories natively and not have to stream the data outside like the old legacy tools; you need to be able to scan data at the source, at the ingestion point, as data flows into these warehouses. What we recently introduced [with Data Pipeline Discovery] is the ability to scan data streams in services like Kafka or [AWS] Kinesis so as the data flows into those data lakes, we're able to classify that data and understand it.

Regarding the CCPA, how much impact do you think it will have on how enterprise data is governed?

Nobody wants to be on the board of shame of the CCPA.

Vax: We're seeing that effect already, and it goes back to the data party that's been happening in the past five years. There's been a party of data where organizations have collected as much data as they wanted without any liabilities or without any guardrails around them. Now with the CCPA and GDPR, they are bringing that additional layer of governing. You can still collect as much information as you want, but you need to protect it. You have obligations to the people from whom you are collecting the data, and that brings more governance to the data process. Now organizations need to be much more careful about that. The organization needs to have more visibility into the data not because it's good to have it but because we have to have it for the regulations; you can't protect, you can't govern, and you can't control what you don't know, so that's the big shift in the approach that CCPA brings to the table. Organizations are already getting prepared for that. We're already seeing the effect that organizations are taking it very seriously and they don't want to be the first ones to be dinged by the regulation. It's not even the financial impact. It's more reputational impact they are concerned about; nobody wants to be on the board of shame of the CCPA. They want to send a message to their customers that they care about privacy -- not that they're careless about it. I think that's the big impact that we're seeing.

What do the next 12 months look like for the company?

Vax: We're growing rapidly both in product and in staff and in general -- I think we're about 150 people now. Last year, I think we were less than 30. We're continuing to grow, and that growth is in two areas: on the product side and on extending to additional audiences. We are continuing to invest in our core discovery capabilities. We're also building more apps. We're going to solve more difficult problems in privacy and security and governance. We're also extending to new audiences. Today, we are primarily focusing on building solutions or offerings for developers so that they can leverage our API and building process. For the next area, we are focusing on putting built-in privacy into the applications seamlessly with zero friction.